Bartlett Weekly
Collierville recovers from ransomware as other cities get hit
Town officials in Collierville realized in July that hackers had infiltrated the government’s computer system.
It soon became clear that the town had been targeted for a ransomware attack. In such attacks, criminals lock up computer files using rogue software, then demand payment to unlock them. The computer attack on the small suburban government fits into a larger pattern that the FBI is warning the public about.
“And part of the reason of wanting to get the message out is we’re seeing it happen more and more to small municipalities, police departments,” said Jeremy Baker, assistant special agent in charge for the Memphis office of the FBI. These smaller organizations tend to have less funding and criminals see them as softer targets for ransomware, he said.
“And you can imagine if your local utility company gets hit with one of these, it might impact service, or the bills being generated, or the person who comes out to read your meter,” said Baker.
“It really can throw some of these municipalities or related companies or organizations into a tailspin. We don’t think how much of our jobs involve the internet until it’s not there anymore, really. Or just basic files on our machines.”
He said he couldn’t provide statistics, but said the ransomware attacks on small institutions appear to have picked up even as overall reports of ransomware have decreased nationwide. And he said he believes ransomware attacks also hit private individuals.
The FBI says ransomware attacks have struck hospitals, school districts, state and local governments, law enforcement agencies and businesses.
FedEx was hit by a ransomware attack in May 2017, and a June 2017 attack against its European-based TNT division led to $300 million in lost revenue, the BBC reported.
In December alone, ransomware attacks were reported against governments in Galt, California; St. Lucie, Florida; Pensacola, Florida; as well as New Orleans, CBS News reported.
Fortunately, people can stop many of these attacks through steps such as training employees not to click on links in questionable emails, updating software and properly backing up files, Baker said.
“If people do those few basic steps that we just walked you through, they’re going to be much safer,” he said.
The story of how Collierville responded to the ransomware attack illustrates the threat and how to reduce the risk.
Collierville under cyberattack
The ransomware attack on Collierville was discovered on the morning of July 18, town officials have said.
“With ransomware of the type, the attacker leaves a calling card on the infected machines. This was an HTML file written as a ransom note. In this case, the note only had email addresses, no demands,” the town’s Information Technology Project Manager Don Petrowski wrote in a joint email to The Commercial Appeal with Kate Watkins, the town finance official whose department oversees computer systems.
The ransomware attack hit most of the town’s Microsoft servers and froze files across multiple town departments. Suddenly, files in common formats such as Microsoft Word didn’t work, said town spokeswoman Jennifer W. Casey. For her, that meant news releases she had saved were inaccessible.
Elsewhere in the town government, documents such as police reports and utility bills were frozen, she said.
Fighting back
“In our case, the news media was airing information on the attack before we could fully assess the full range of the attack,” the town officials wrote. “Both the FBI and Secret Service contacted us within hours of hearing the coverage.”
Town administrator James Lewellen said the town government never contacted the cybercriminals and never received a ransom demand for a specific amount of money.
Instead, the information technology managers began trying to undo the hackers’ work and recover the files “to figure out if they could outsmart the code, and try to decrypt what they put on there and just steal ‘em back, so to speak,” Lewellen said.
But those decryption efforts didn’t work. The town officials soon began restoring the locked files from a backup system, and the information technology staff worked around the clock, he said.
“To get it all back up and running, we went through a period of about six weeks. We recovered in stages,” Lewellen said.
The town missed a couple of utility billing cycles, he said, but they never paid a ransom.
Lessons learned
FBI tips for preventing ransomware attacks
People should avoid clicking on links or downloading files in unsolicited emails that appear suspicious. Institutions should train employees on what to look out for.
Make secure backups of files and keep the material stored separately from the main computer system.
Update software regularly. Hackers are always looking for weaknesses in computer systems, and software updates help close loopholes.
If you are a victim of a ransomware attack, call the Memphis FBI office at 747-4300 as well as the Secret Service at 544-0333. You may also report the incident online at Ic3.gov.
Both the FBI agent and the Collierville officials emphasized the importance of making backups - particularly those that are separate from the main computer system and can’t be infected through a ransomware attack.
If an institution has good backups, it can ignore the ransom demand and set about restoring its system, as Collierville did.
The FBI agent and Collierville town officials also emphasized the importance of training employees to watch out for suspicious emails.
In many cases, hackers dangle an offer of money to entice people to click on a link or download a file that infects a computer system with malicious software, said the FBI agent.
“So if you get an email that says ‘click here to claim your prize, click here for a free gift card.’ Things where your gut sort of tells you ‘this is probably too good to be true,’” Baker said.
The Collierville officials believe the hackers got access to the town’s computer system through some type of phishing email, though Petrowski and Watkins said they could never confirm this.
Should you pay a ransom?
Many of the people who carry out ransomware attacks are living somewhere outside the United States, particularly in Russia and Eastern Europe, said Baker, and they’re constantly changing tactics to exploit weaknesses in computer systems. He recommends keeping software up to date to close loopholes.
But if a cybercriminal has somehow slipped past your defenses, encrypted your files and is demanding a ransom, should you pay it?
The FBI has seen cases in which a person paid a ransom, the files were not unlocked and the criminal then demanded another ransom - and cases in which the criminal promised to unlock the whole system but only certain files were unlocked, he said.
Investigative reporter Daniel Connolly welcomes tips and comments from the public. Reach him at 529-5296, daniel.connolly@commercialappeal.com, or on Twitter at @danielconnolly.